# $OpenBSD: bgpd.conf,v 1.1 2014/07/11 17:10:30 henning Exp $
# sample bgpd configuration file
# see bgpd.conf(5)

#macros
peer1="10.1.0.2"
peer2="10.1.0.3"

# global configuration
AS 65001
router-id 10.0.0.1
# holdtime 180
# holdtime min 3
# listen on 127.0.0.1
# listen on ::1
# fib-update no
# route-collector no
# log updates
# network 10.0.1.0/24

# restricted socket for bgplg(8)
# socket "/var/www/run/bgpd.rsock" restricted

# neighbors and peers
group "peering AS65002" {
	remote-as 65002
	neighbor $peer1 {
		descr	"AS 65001 peer 1"
		announce self
		tcp md5sig password mekmitasdigoat
	}
	neighbor $peer2 {
		descr "AS 65001 peer 2"
		announce all
		local-address 10.0.0.8
		ipsec esp ike
	}
}

group "peering AS65042" {
	descr "peering AS 65042"
	local-address 10.0.0.8
	ipsec ah ike
	neighbor 10.2.0.1
	neighbor 10.2.0.2
}

neighbor 10.0.1.0 {
	remote-as	65003
	descr		upstream
	multihop	2
	local-address	10.0.0.8
	passive
	holdtime	180
	holdtime min	3
	announce	none
	tcp md5sig key	deadbeef
}

neighbor 10.0.2.0 {
	remote-as	65004
	descr		upstream2
	local-address	10.0.0.8
	ipsec ah ike
}

neighbor 10.0.0.0/24 {
	descr		"template for local peers"
}

neighbor 10.2.1.1 {
	remote-as 65023
	local-address 10.0.0.8
	ipsec esp in  spi 10 sha1 0a4f1d1f1a1c4f3c9e2f6f0f2a8e9c8c5a1b0b3b \
	    aes 0c1b3a6c7d7a8d2e0e7b4f3d5e8e6c1e
	ipsec esp out spi 12 sha1 0e9c8f6a8e2c7d3a0b5d0d0f0a3c5c1d2b8e0f8b \
	    aes 4e0f2f1b5c4e3c0d0e2f2d3b8c5c8f0b
}

# filter out prefixes longer than 24 or shorter than 8 bits for IPv4
# and longer than 48 or shorter than 16 bits for IPv6.
deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 16 - 48

# accept a default route (since the previous rule blocks this)
#allow from any prefix 0.0.0.0/0
#allow from any prefix ::/0

# filter bogus networks according to RFC5735
deny from any prefix 0.0.0.0/8 prefixlen >= 8		# 'this' network [RFC1122]
deny from any prefix 10.0.0.0/8 prefixlen >= 8		# private space [RFC1918]
deny from any prefix 100.64.0.0/10 prefixlen >= 10	# CGN Shared [RFC6598]
deny from any prefix 127.0.0.0/8 prefixlen >= 8 	# localhost [RFC1122]
deny from any prefix 169.254.0.0/16 prefixlen >= 16	# link local [RFC3927]
deny from any prefix 172.16.0.0/12 prefixlen >= 12	# private space [RFC1918]
deny from any prefix 192.0.2.0/24 prefixlen >= 24	# TEST-NET-1 [RFC5737]
deny from any prefix 192.168.0.0/16 prefixlen >= 16	# private space [RFC1918]
deny from any prefix 198.18.0.0/15 prefixlen >= 15	# benchmarking [RFC2544]
deny from any prefix 198.51.100.0/24 prefixlen >= 24	# TEST-NET-2 [RFC5737]
deny from any prefix 203.0.113.0/24 prefixlen >= 24	# TEST-NET-3 [RFC5737]
deny from any prefix 224.0.0.0/4 prefixlen >= 4 	# multicast
deny from any prefix 240.0.0.0/4 prefixlen >= 4 	# reserved

# filter bogus IPv6 networks according to IANA
deny from any prefix ::/8 prefixlen >= 8
deny from any prefix 0100::/64 prefixlen >= 64		# Discard-Only [RFC6666]
deny from any prefix 2001:2::/48 prefixlen >= 48	# BMWG [RFC5180]
deny from any prefix 2001:10::/28 prefixlen >= 28	# ORCHID [RFC4843]
deny from any prefix 2001:db8::/32 prefixlen >= 32	# docu range [RFC3849]
deny from any prefix 3ffe::/16 prefixlen >= 16		# old 6bone
deny from any prefix fc00::/7 prefixlen >= 7		# unique local unicast
deny from any prefix fe80::/10 prefixlen >= 10		# link local unicast
deny from any prefix fec0::/10 prefixlen >= 10		# old site local unicast
deny from any prefix ff00::/8 prefixlen >= 8		# multicast
